Biometric Authentication Information and Device Handling Policy

Scope

This policy applies to all collection and/or use of biometric
information and/or technologies by OVPIT/UITS.

Rationale

OVPIT and UITS deploy various access protections commensurate with the
sensitivity and criticality of the information, systems, or facilities
being accessed, and recognize that authentication based on personal
characteristics, or what can broadly be termed as "biometric
authentication," can provide enhanced protection. The integrity of
the underlying information generated to support biometric
authentication is essential not only for the integrity of the
supported access protections, but also because such information may
have its own inherent sensitivity. For these reasons, the information
and devices supporting biometric authentication must be handled with
due care.

Policy Statement

The Office of the Vice President for Information Technology and Chief
Information Officer may deploy biometric access control technologies
for OVPIT facilities housing the most sensitive and critical
information systems and functions. Personal data collected by these
biometric access control technologies are in the most sensitive
category defined by university classification criteria, will be
protected in accordance with applicable standards, and will be purged
when no longer required to support the access protection function.

Procedures

All collection and/or use of biometric information and/or technologies
by OVPIT/UITS will be reviewed and approved by the Vice President for
Information Technology and CIO, or designate, before any actual
collection or use, in order to ensure appropriate security and privacy
safeguards are planned and implemented. Approved implementations will
be listed below.

List of Approved Implementations

Hand Geometry Scanner

Approved: August 2009

The Bloomington Data Center employs a hand geometry scanner
as an additional layer of verification (not identification) to ensure
that only authorized individuals can gain access.

In consultation with the Chief Privacy Officer and the Chief Security
Officer, OVPIT/UITS will treat hand geometry verification data as
Restricted/Limited-Use data using the IU Data Steward Classification
Scheme. As such, it will be protected according to university policies
and standards for Restricted/Limited-Use data. OVPIT/UITS will ensure
that impacted employees receive information describing the technology
and the handling and use of the data.

Definitions

Biometric

Methods for uniquely recognizing humans based upon one or more
intrinsic physical or behavioral traits.

Biometric verification

A one-to-one comparison of a captured biometric with a stored
template to verify an individual.

Biometric data

A stored template describing a biometric trait.

Hand Geometry Scanner

The device uses a simple process to measure and record the length,
width, thickness, and curvature of the individual's hand, and compares
it to a template.

Sanctions

Indiana University will handle reports of misuse and abuse of
information and information technology resources in accordance with
existing policies and procedures issued by appropriate
authorities. Depending on the individual and circumstances involved,
this could include the offices of Human Resources, Dean of Faculties
(or campus equivalent), Dean of Students (or campus equivalent),
Office of the General Counsel, and/or appropriate law enforcement
agencies. See policy Misuse and Abuse of Information Technology Resources (IT-02) for more
detail.

Failure to comply with Indiana University information technology
policies may result in sanctions relating to the individual's use of
information technology resources (such as suspension or termination of
access, or removal of online material); the individual's employment
(up to and including immediate termination of employment in accordance
with applicable university policy); the individual's studies within
the university (such as student discipline in accordance with
applicable university policy); civil or criminal liability; or any
combination of these.